Commit 9c09ed13 authored by Adam Langley's avatar Adam Langley

x509: support non-self-signed certs.

For generating non-self-signed certs we need to be able to specify a
public key (for the signee) which is different from the private key (of
the signer).

R=rsc
CC=golang-dev
https://golang.org/cl/1741045
parent 400f7a6b
......@@ -761,19 +761,20 @@ var (
// MaxPathLen, SubjectKeyId, DNSNames.
//
// The certificate is signed by parent. If parent is equal to template then the
// certificate is self-signed.
// certificate is self-signed. pub is the public key of the signee. priv is the
// private key of the signer.
//
// The returned slice is the certificate in DER encoding.
func CreateCertificate(rand io.Reader, template, parent *Certificate, priv *rsa.PrivateKey) (cert []byte, err os.Error) {
func CreateCertificate(rand io.Reader, template, parent *Certificate, pub *rsa.PublicKey, priv *rsa.PrivateKey) (cert []byte, err os.Error) {
asn1PublicKey, err := asn1.MarshalToMemory(rsaPublicKey{
N: asn1.RawValue{Tag: 2, Bytes: priv.PublicKey.N.Bytes()},
E: priv.PublicKey.E,
N: asn1.RawValue{Tag: 2, Bytes: pub.N.Bytes()},
E: pub.E,
})
if err != nil {
return
}
if len(template.SubjectKeyId) > 0 && len(parent.SubjectKeyId) > 0 {
if len(parent.SubjectKeyId) > 0 {
template.AuthorityKeyId = parent.SubjectKeyId
}
......
......@@ -174,7 +174,7 @@ func TestCreateSelfSignedCertificate(t *testing.T) {
DNSNames: []string{"test.example.com"},
}
derBytes, err := CreateCertificate(urandom, &template, &template, priv)
derBytes, err := CreateCertificate(urandom, &template, &template, &priv.PublicKey, priv)
if err != nil {
t.Errorf("Failed to create certificate: %s", err)
return
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment